As reported today on Slashdot, in linux kernels prior to 2.4.23, it is
possible to map the kernel into user space with brk(), since apparently no
one ever bothered to check that the argument passed was in the lower 3 gig
of the address space.

This is almost as funny as early linux kernels in which the LDT was user

In any case, the patch is to stick the following check in do_brk() in

  if ((addr + len) > TASK_SIZE || (addr + len) < addr) 
           return -EINVAL;

This is of course a serious bug, since anyone on a vulnerable machine has
access to kernel memory by writing a terse no-brainer C program, of which
I will not give an example, because enough people on the Internet hate me
already. :)

An interesting occurrence, because it demonstrates that massive numbers of
open source participants auditing the code aren't sufficient to ferret out
every giant coding blunder.

Eric Michael Cordian 0+
O:.T:.O:. Mathematical Munitions Division
"Do What Thou Wilt Shall Be The Whole Of The Law"

Reply via email to